Closed arayzw closed 2 years ago
Thanks for reporting this issue. It seems that the file is not an AVS2 compliant stream. I'll fix this issue by checking the valid range later.
It appears that this issue has a CVE assigned: CVE-2022-36647
@arayzw @carnil Thanks for reporting this issue. It was solved in the latest commit (b41cf117452e2d73d827f02d3e30aa20f1c721ac).
Describe the bug
Relevant code as follows:

```c
static int parse_sequence_header(davs2_mgr_t *mgr, davs2_seq_t *seq, davs2_bs_t *bs)
{
    ......
}
```
This is a security issue.
To Reproduce
```sh
cd /path/to/davs2/build/linux/
./configure --enable-pic
vim config.mak   # add -fsanitizer=address to CFLAGS, and -fsanitizer=address -lasan to LDFLAGS
make
./davs2 -i /path/to/poc1.avs -o test.yuv
```
ASAN Crash log
```
=================================================================
==4112727==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555555956808 at pc 0x5555555a44d0 bp 0x7fffffffc910 sp 0x7fffffffc900
READ of size 4 at 0x555555956808 thread T0
    #0 0x5555555a44cf in parse_sequence_header /root/arayz/davs2/source/common/header.cc:269

0x555555956808 is located 24 bytes to the left of global variable 'BETA_TABLE' defined in '/root/arayz/davs2/source/common/header.cc:69:22' (0x555555956820) of size 64
0x555555956808 is located 8 bytes to the right of global variable 'FRAME_RATE' defined in '/root/arayz/davs2/source/common/header.cc:121:24' (0x5555559567e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow /root/arayz/davs2/source/common/header.cc:269 in parse_sequence_header
Shadow bytes around the buggy address:
  0x0aab2ab22cb0: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 06
  0x0aab2ab22cc0: f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 00 00 00 04
  0x0aab2ab22cd0: f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
  0x0aab2ab22ce0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0aab2ab22cf0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0aab2ab22d00: f9[f9]f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0aab2ab22d10: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0aab2ab22d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2ab22d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2ab22d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2ab22d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4112727==ABORTING
```
Additional context
PoC: poc1.zip
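As an added example (not davs2's code, nor the fix in the commit above), the kind of range check the maintainer mentions, on a constructed table lookup of the same shape: the log places the faulting 4-byte read 8 bytes past the 32-byte FRAME_RATE global, i.e. index 10 of an 8-entry table, which is exactly what an unvalidated 4-bit code from the stream can produce. The table contents, the bit reader and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not davs2 code: a rate table indexed by a 4-bit
 * code read from the stream. Table size and values here are assumptions. */
static const double FRAME_RATE_TABLE[8] = {
    24000.0 / 1001, 24.0, 25.0, 30000.0 / 1001, 30.0, 50.0, 60000.0 / 1001, 60.0
};
#define FRAME_RATE_TABLE_SIZE (sizeof(FRAME_RATE_TABLE) / sizeof(FRAME_RATE_TABLE[0]))

/* Minimal MSB-first bit reader. */
typedef struct {
    const uint8_t *buf;
    size_t len;   /* buffer length in bytes */
    size_t pos;   /* bits consumed so far */
} bitreader_t;

/* Read n <= 32 bits; returns -1 when the buffer is exhausted instead of reading past it. */
static int64_t br_read(bitreader_t *br, unsigned n)
{
    uint32_t v = 0;
    if (n > 32 || br->pos + n > br->len * 8)
        return -1;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u);
    return (int64_t)v;
}

/* Hardened lookup: a 4-bit field can carry 16 values but the table has 8.
 * Rejecting codes >= 8 here is the range check; indexing with them directly
 * is the unchecked read that ASAN reports as a global-buffer-overflow. */
static int frame_rate_from_code(unsigned code, double *out)
{
    if (code >= FRAME_RATE_TABLE_SIZE)
        return -1;
    *out = FRAME_RATE_TABLE[code];
    return 0;
}

/* Parse a header fragment whose first 4 bits are the rate code.
 * Returns 0 and sets *rate, or -1 on truncated input or an invalid code. */
static int parse_frame_rate(const uint8_t *data, size_t len, double *rate)
{
    bitreader_t br = { data, len, 0 };
    int64_t code = br_read(&br, 4);
    if (code < 0)
        return -1;
    return frame_rate_from_code((unsigned)code, rate);
}
```

With a constructed first byte of 0xA0 the code is 10, which the check rejects; 0x30 yields code 3 and a valid lookup.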